Amazon SageMaker

Notebook Instance Publicly Accessible

This plugin ensures that the Notebook Instance is not publicly accessible.

Risk Level: High

Description: 

This plugin ensures that the Notebook Instance is not publicly accessible. It is suggested that SageMaker instances not be exposed to the internet. The DirectInternetAccess attribute configures the public availability.

About the Service :

An AWS SageMaker notebook instance is a fully managed ML instance that runs the open-source web application Jupyter Notebook. SageMaker is an AWS service that allows developers and data engineers to design, train and deploy machine learning models quickly and simply at all levels.

Impact : 

When your AWS SageMaker notebook instances are publicly available, any computer outside the VPC can create a connection to these instances, increasing the attack surface and the possibility for malicious behavior. It is suggested that the Amazon SageMaker notebook instances are not publicly accessible.

Steps to reproduce :

  1. Log in to the AWS Console.
  2. Navigate to the dashboard of the SageMaker service.
  3. Choose Notebook Instances under the Notebook section.
  4. From the list of Notebook Instances, select the one you want to examine.
  5. Within the Network section, check for any Virtual Private Cloud (VPC) network configuration details such as VPC subnet IDs and security group IDs. If it says “No custom VPC settings applied”, the instance is publicly available.
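The console check above can also be scripted across every notebook instance in a region. The following is an added example, not the plugin's own code: it evaluates the `DirectInternetAccess` and `SubnetId` fields of `DescribeNotebookInstance` responses, and the sample instance names, subnet IDs and security group IDs are constructed placeholders.

```python
"""Flag SageMaker notebook instances that are reachable outside a VPC."""

# Constructed sample data shaped like DescribeNotebookInstance responses;
# names, subnet and security group IDs are made up for illustration.
SAMPLE_INSTANCES = [
    {"NotebookInstanceName": "nb-public", "DirectInternetAccess": "Enabled"},
    {"NotebookInstanceName": "nb-vpc-open", "DirectInternetAccess": "Enabled",
     "SubnetId": "subnet-0example", "SecurityGroups": ["sg-0example"]},
    {"NotebookInstanceName": "nb-private", "DirectInternetAccess": "Disabled",
     "SubnetId": "subnet-0example", "SecurityGroups": ["sg-0example"]},
]


def evaluate(instance):
    """Return a list of findings for one notebook instance description."""
    findings = []
    # A missing attribute is treated as Enabled so the check fails closed.
    if instance.get("DirectInternetAccess", "Enabled") != "Disabled":
        findings.append("DirectInternetAccess is not Disabled")
    if not instance.get("SubnetId"):
        findings.append("no custom VPC settings applied")
    return findings


def audit(instances):
    """Map instance name -> findings, keeping only failing instances."""
    report = {}
    for inst in instances:
        findings = evaluate(inst)
        if findings:
            report[inst["NotebookInstanceName"]] = findings
    return report


def fetch_instances(region):
    """Collect live descriptions with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample run needs no SDK
    client = boto3.client("sagemaker", region_name=region)
    pages = client.get_paginator("list_notebook_instances").paginate()
    return [
        client.describe_notebook_instance(
            NotebookInstanceName=item["NotebookInstanceName"])
        for page in pages for item in page["NotebookInstances"]
    ]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        print(f"FAIL {name}: {'; '.join(findings)}")
```

To run it against a live account, pass the output of `fetch_instances("<region>")` to `audit()` instead of the sample list.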

Steps for remediation :

  1. Log in to the AWS Console.
  2. Navigate to the dashboard of the SageMaker service.
  3. Choose Notebook Instances under the Notebook section.
  4. From the list of Notebook Instances, select the one you want to examine.
  5. Within the Network section, check for any Virtual Private Cloud (VPC) network configuration details such as VPC subnet IDs and security group IDs. If it says “No custom VPC settings applied”, the instance is publicly available.
  6. To ensure that your AWS SageMaker notebook instances are running inside a VPC, we need to re-create these instances with the necessary network configuration.
  7. Click the Create Notebook instance button in the top right corner to start the setup process.
  8. Complete the required settings on the Create Notebook instance page.
  9. Next, in the tags options, specify the required tags and click Create Notebook instance to launch the new instance.
  10. Next, go to the Notebook Instance tab and delete the necessary SageMaker instance.

 
